Internet Bug Fix Spawns Hacker Backlash

Security researchers are criticizing hacker Dan Kaminsky for keeping quiet about technical details of a critical DNS flaw

By Robert McMillan, IDG News Service (San Francisco Bureau)

Page 2

"Here comes the onslaught of interviews and media explosion for another overhyped bug by Dan Kaminsky," wrote a jaded (and anonymous) poster to the Matasano blog.

Over at the SANS Internet Storm Center, a highly respected security blog, one blogger speculated that Kaminsky's bug had actually been disclosed three years earlier.

Kaminsky, who is director of penetration testing with security vendor IOActive, said that he was "vaguely surprised" by some of the negative reaction, but that this kind of skepticism was vital to the hacker community. "I'm breaking the rules," he admitted. "There's not enough information in the advisory to figure out the attack and I'm bragging about it."

According to DNS expert Paul Vixie, one of the few people who has been given a detailed briefing on Kaminsky's finding, it is different from the issue reported three years ago by SANS. While Kaminsky's flaw is in the same area, "it's a different problem," said Vixie, who is president of the Internet Systems Consortium, the maker of the most widely used DNS server software on the Internet.

The issue is urgent and should be patched immediately, said David Dagon, a DNS researcher at Georgia Tech who was also briefed on the bug. "With sparse details, a few have questioned whether Dan Kaminsky had repackaged older work in DNS attacks," he said in an e-mail interview. "It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."

By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on his blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."

Kaminsky's remaining critics will have to wait until his Aug. 7 Black Hat presentation to know for sure, however.

The security researcher said he hopes that they show up for his talk. "If I do not have the exploit," he said, "I deserve every single piece of anger and distrust."
